CNNVD-202510-769 Information
CNNVD ID
CNNVD-202510-769
Related CVE
- CNNVD Published: 2025-10-06
Description (Chinese)
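langchain-text-splitters is a Python package open-sourced by LangChain. langchain-text-splitters version 0.3.8 contains a code issue vulnerability. It stems from the HTMLSectionSplitter class allowing the use of arbitrary XSLT stylesheets, which may lead to an XML external entity attack in which an attacker can read arbitrary local files or make external HTTP requests.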
Description (English)
langchain-text-splitters is an open-source Python package from LangChain. Version 0.3.8 of langchain-text-splitters has a code issue vulnerability: the HTMLSectionSplitter class allows the use of an arbitrary XSLT stylesheet, which may lead to an XML external entity (XXE) attack in which the attacker can read any local file or execute an external HTTP request.
Hazard Level
Medium
Vulnerability Type
Code issue
Affected Vendor
LangChain
Published
2025-10-06
Last Modified
2026-02-24
References
https://huntr.com/bounties/cf78abbb-df3b-43de-b6ee-132b73ff8331
https://vigilance.fr/vulnerability/langchain-text-splitters-external-XML-entity-injection-via-HTMLSectionSplitter-48563
Patch
https://github.com/langchain-ai/langchain